The security of your company relies on a sound digital infrastructure and an IT team that can support it. However, as we’re about to explore below, it’s an organization’s end users that tend to make or break security efforts. This is why security awareness for your end users must become a company priority. If you don’t take this issue seriously, it’s only a matter of time before a cybercriminal is successful with an attack.

Who Are End Users?

When we talk about security awareness for end users, we’re referring to training focused on the employees whom attackers may target. Basically, anyone with an Internet connection can inadvertently provide access to your company’s sensitive information if they are not trained to do otherwise.

Why Security Awareness for End Users Is So Important

In one word: phishing.

There are definitely other reasons why it’s important to make security awareness for end users a priority, but this one common attack should be all you need to convince you of its place as a priority.

For those who are unaware of the term, the definition of phishing is any ploy to solicit sensitive information (e.g., passwords, social security numbers, etc.) by pretending to be an authority figure or familiar person.

The classic example is when someone receives an email with their “new password” from an individual claiming to be from the IT department. When the recipient responds that they’ve complied and changed their password, the cybercriminal can strike. They now have access to that person’s email address and can use it for all kinds of nefarious purposes.

Sadly, this is only one of countless versions out there. Criminals have even begun doing them over the phone.

The scariest element of a phishing attack is that anyone can do them and they can be absolutely brutal in terms of fallout.

To actually be a hacker takes an impressive degree of technical acumen. Many cybercriminals could find gainful, legal employment just about anywhere in the IT field. Instead, they take their skills and use them for crime.

On the other hand, all you need is an email address or just a phone and a weak moral character to be successful with phishing. Even if you’re unsuccessful at first, you have any number of employees to attempt your scheme with. Phishing is a numbers game, but it’s one that usually favors the criminal party.

Then, there’s the fact that phishing can bring serious damage down on an organization. Accessing a low-level employee’s email inbox may not seem like it would have such dire implications. However, if all the criminal walks away with is information they can use to phish someone a step up in the corporate ladder, their attack will have been worth it.

Keep in mind, too, that at least for some period of time, the criminal will be able to impersonate their victim, which could lead to gaining plenty of sensitive information.

It’s also worth bringing up spear phishing. If the original version sounds a bit unrefined, spear phishing is a far more precise attack, as the name suggests.

A spear phishing attack takes far more research on the part of the criminal, for one thing. That’s because this ploy is far more sophisticated. The criminal wishes to impersonate someone specifically, so they’ll need to figure out certain details about them that will make this possible. They may go through the target’s Facebook, LinkedIn and other online profiles to ensure they come across as believably as possible.

This sort of specificity boosts a spear phishing attack’s chances of success. However, what’s worse is that the amount of time spent on this up-front research is usually justified because the reward will be so much more valuable.

Security Awareness to Protect Against Phishing

The truly frustrating thing about phishing attacks is that they should be so easy to protect against. Always make sure you know who’s sending you an email and, if they ask for anything even remotely suspicious, call them to make sure they are indeed the ones who sent the message.
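The two checks the article keeps returning to, knowing who actually sent a message and being suspicious of any request for a password, can be partly automated in a mail gateway or a help-desk triage tool. The following is an added example, not code from the article or from any product it mentions: it uses only Python’s standard `email` library, and the company domain, the authority phrases, the lure patterns and both sample messages are constructed assumptions for illustration. It flags the exact pattern described above (a sender whose display name claims to be the IT department but whose address is outside the company, a Reply-To that diverts answers elsewhere, and a body that talks about a “new password”).

```python
"""
Header-and-lure triage for the "new password from IT" phishing pattern.
Added example for illustration; not from the original article. The
company domain, phrase lists and sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed internal domain (placeholder, not from the article).
COMPANY_DOMAIN = "example-corp.test"

# Display-name phrases that claim internal authority
# (the article's "someone claiming to be from the IT department").
AUTHORITY_NAMES = ("it department", "it support", "help desk",
                   "it helpdesk", "security team")

# Body phrases matching the "here is your new password" lure.
LURE_PATTERNS = [
    re.compile(r"\bnew password\b", re.I),
    re.compile(r"\b(confirm|verify|reply with) (your )?password\b", re.I),
    re.compile(r"\bchange your password\b", re.I),
]


def _domain(addr: str) -> str:
    """Return the lowercase domain part of an address, or '' if absent."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def triage(raw_message: str) -> list:
    """
    Parse one RFC 5322 message and return the reasons it resembles the
    IT-impersonation phish. An empty list means no finding; it does not
    prove the mail is safe, so the "call the sender" rule still applies.
    """
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []

    from_dom = _domain(from_addr)
    # 1. Claims to be internal IT but the address is outside the company.
    if any(n in from_name.lower() for n in AUTHORITY_NAMES) and from_dom != COMPANY_DOMAIN:
        findings.append(
            f"display name '{from_name}' claims IT but sender domain is {from_dom or 'missing'}")

    # 2. Replies would go somewhere other than the visible sender.
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(
            f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_dom}")

    # 3. The body carries the password lure.
    body = msg.get_payload(decode=True)
    text = body.decode("utf-8", "replace") if isinstance(body, bytes) else str(msg.get_payload())
    for pat in LURE_PATTERNS:
        if pat.search(text):
            findings.append(f"password lure matched: /{pat.pattern}/")
            break
    return findings


# Constructed sample messages (not real mail).
PHISH = """\
From: "IT Department" <helpdesk@example-corp-support.biz>
Reply-To: reset@mail-collector.biz
To: employee@example-corp.test
Subject: Your new password

Your new password is Welcome123. Reply to confirm you have changed your password.
"""

LEGIT = """\
From: "Alice Chen" <alice.chen@example-corp.test>
To: employee@example-corp.test
Subject: Lunch

Are we still on for noon?
"""

if __name__ == "__main__":
    for label, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, triage(sample) or "no findings")
```

Run as a script it prints three findings for the constructed phish and none for the benign note. The point is the same one the article makes for people: the display name is free text anyone can set, so the decision has to rest on the actual sender domain and on where a reply would really go. Treat a hit as a reason to pick up the phone, not as proof, and treat an empty result as nothing more than the absence of this one pattern.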

Unfortunately, we wouldn’t need to write this piece if that sort of caution were practiced regularly.

It should be your company’s security awareness goal to make sure end users begin doing so.

The first step is awareness. Your people need to understand what phishing scams involve and what to look for so they’re not fooled.

You should also make sure they understand the consequences of falling for such a scheme. Again, phishing can lead to all kinds of bigger problems. The idea is to get your people to take these sorts of attacks seriously. If they don’t, you’ll become a victim.

Encourage people to come forward when they think they’ve been targeted. No one should ever feel embarrassed for being wrong about this.

More than anything, your company must have a regular calendar of activities, programs, and reminders that make phishing a threat your staff is intimately aware of. These attacks only work when people aren’t being vigilant.

Device Protection

Again, that’s not to say that phishing is the only way your company can suffer. Another very important area we need to cover in our discussion of security awareness for end users is device protection.

Your end users are connected to the World Wide Web in a number of different ways. This includes:

  • Laptops
  • Desktops
  • Smartphones
  • Tablets

Again, these are all potential doorways through which a cybercriminal could access your company’s infrastructure and cause serious problems.

The obvious risk with those last three devices is that they can simply be stolen, even at the office. This is why security awareness for end users must address proper methods of securing them, especially for workers who travel for business.

That’s not the only way these devices can be compromised, though. This is why security awareness needs a robust approach where this risk is concerned. Layers of your security awareness device plan should include training and support from management.

Like any form of security awareness, handling the threats that face company devices requires a top-down approach. Management must be on board and they must make it a priority.

At the very least – literally, the very least – your company needs a policy regarding the use of devices provided to staff. This must cover everything from where these devices must be stored to what they can be used for. Sadly, many companies have a policy that touches on cyber security, but it hasn’t been updated to reflect the use of devices that can be taken out of the office.

Your policy for end users should include:

  • Its purpose
  • Program-level and issue-specific policies
  • The responsibilities of the end users
  • Compliance standards that spell out what the consequences will be for not following the policy, regardless of whether or not an attack is successful

In order to give your policy the best chance of succeeding, it needs to be:

  • Implemented
  • Enforced
  • Free of unreasonable constraints on employee productivity
  • Concise and easy to understand

Again, a policy is the least you can put forward. Just as with preventing phishing attacks, you should also go out of your way to make sure end users are constantly reminded about potential threats.

By now, the challenge that your end users are up against from malicious parties should be clear. Therefore, let’s now move on to looking at some of the features your company’s end user security awareness efforts should entail.

Keep in mind that every company is different. However, the following are effective traits, no matter what industry you’re in.

Never Become Complacent

This may seem like an obvious piece of advice, but it needs to be reiterated because it really is that important.

As we mentioned before, a lot of companies have added wireless devices to their inventory without updating their policies about how end users should use them. This speaks to the type of problem a lot of organizations are facing.

Still, even if your security policies have been updated to reflect these devices, you must make the updating of this document a priority. In terms of awareness, you should be constantly thinking of ways you can stress this through your policy. Then, again, it must be implemented.

Security awareness also involves making certain that your staff is aware of your company’s policy. This should happen during new hire orientation. At least once a year, all of your employees should have to review the policy, and again whenever they are issued a wireless device. Obviously, any time the policy is updated, staff should go through the changes.

Invest in Security Awareness

Whether or not a company is taking security awareness for their end users seriously is pretty clear simply by looking at their budgets. Have they set aside money to make sure their employees are aware of the risks and how to defend against them?

Too many companies spend the bulk of their IT security budgets on security software. Those platforms do no good, though, when the user can be manipulated into allowing the attacker access.

Regular Testing Must Be Done

As two of our experts pointed out in an earlier post on end user security awareness, testing must be a priority, as well. This is the only way to make sure your efforts are truly producing results. The only alternative is finding out you’ve been compromised.

Some companies even conduct drills in which someone will try to phish their employees simply to see if they’d fall for it. Many businesses have formed to handle these tests for companies. They may represent one of the best possible tests you could use for the sake of assessing your efforts.

Keep Everyone Updated About the State of Cyber Security

There are two reasons we recommend this element. The first is that whoever is in charge of creating your end user security policy must understand the evolving landscape of threats. They can’t possibly do a good job of protecting your organization if they don’t even know what’s out there.

As far as your end users go, regular reminders are an excellent way to make sure they continue to keep security a priority. They, too, should be reminded of new forms of attacks, but you also want them to see the fallout that occurs after a cybercriminal is successful.

Don’t simply highlight the ones you see in the headlines, either. Ideally, you want to show them examples that will resonate because they happened in your industry or to companies similar in size, etc. Sure, knowing that Target or the government can be hacked shows how serious these attacks are, but it’s also too easy for most end users to think that kind of thing would never happen to them.

Make It Easy to Receive Feedback

Once you begin instituting a serious push for security awareness amongst end users, you have to expect some false alarms. People with the best of intentions will report phishing attempts that are actually from benign sources, for example. This should be encouraged. You want people erring on the side of being overly cautious, so make sure no one is allowed to feel embarrassed for coming forward when they were mistaken.

You also want to give employees an opportunity to report potential vulnerabilities anonymously. A staff member may know that one of their coworkers isn’t properly securing their device when on the road, but they don’t want to deal with the consequences of reporting them.

If you invest in an anonymous way for them to come forward with their report, you’ll be able to address the problem.

Furthermore, this relates to security awareness, because it will give you a clear idea of which topics may need to be better addressed to keep these issues from happening again in the future.

Don’t wait to begin addressing security awareness amongst your end users. Every day you put it off is another day your organization could be brought down. Begin with updating or creating a policy and then start implementing it across your staff.

Sources

http://resources.infosecinstitute.com/end-user-security-awareness-best-practices-12-experts-weigh-in/#gref

http://resources.infosecinstitute.com/end-user-chapter-6/#gref

Be Safe

Section Guide

Ryan Fahey

View more articles from Ryan

SecurityIQ has published a number of videos on social engineering and phishing. You can sign up for a free account to browse their resources and test how phishing savvy you really are.